Google AdSense malware silently delivers to Android users

Google AdSense malware has been silently delivered to Android devices, but the danger seems to be mitigated by Google itself.

Researchers have found a new variant of an old Trojan being silently delivered to Android devices via the Google AdSense network, but Google's protections should be keeping users safe.

New research from Kaspersky Lab identified a variant of the Svpeng mobile banking Trojan being delivered to Android devices without any user interaction necessary.

Mikhail Kuzin and Nikita Buchka, malware analysts for Kaspersky Lab, based in Moscow, described the finding in a blog post.

"There you are, minding your own business, reading the news and BOOM! -- no additional clicks or following links required. It turns out the malicious program is downloaded via the Google AdSense advertising network ... anyone can register their ad on this network -- they just need to pay a fee. And it seems that didn't deter the authors of the Svpeng Trojan from pushing their creation via AdSense. The Trojan is downloaded as soon as a page with the advert is visited."

The Svpeng banking Trojan was first discovered in mid-2014. Kuzin and Buchka wrote it "can steal information about the user's bank cards via phishing windows, [as well as] intercept, delete and send text messages," and it "collects an impressive amount of information from the user's phone -- the call history, text and multimedia messages, browser bookmarks and contacts."

Although the Trojan app is silently delivered to Android devices, it cannot perform any of these functions without being installed. This means a user would have to find the downloaded app, install it, turn off Android's standard protections against installing apps from unknown sources, and finally bypass Google's Verify Apps protections, which warn users when they are potentially installing malware.

Buchka described the deception techniques, but said Google's Android security measures have started blocking the AdSense malware.

"The malicious .apk was downloading without [a] user's actions. But the user had to give the permission on the installation. Fraudsters were using file names such as 'last-browser-update' [and] 'important-browser-update' to deceive the unsuspecting user and force him to install malicious .apk. The duped user allowed installation, thinking that it was a critical update," Buchka told SearchSecurity. "At the time of research, Google's Verify Apps protections [were] not detecting this application as potentially dangerous, but now Google's protection stops it."
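As an added defender-side illustration (not code from the article, Kaspersky or Google), the script below scans a constructed web-proxy log for APK downloads that carry the lure-style file names quoted above or arrive from an ad-serving referrer; the log format, the ad-host list and every sample line are assumptions.

```python
import re
from urllib.parse import urlparse

APK_MIME = "application/vnd.android.package-archive"
# Lures quoted above ('last-browser-update', 'important-browser-update'),
# generalised to any APK name containing "update" as a standalone word.
LURE_NAME = re.compile(r"(?<![a-z])update(?![a-z])", re.I)
# Assumption: ad-serving hosts to treat as drive-by referrers; adjust per environment.
AD_HOSTS = ("googlesyndication.com", "doubleclick.net")
# Assumption: proxy log line = ts client "GET url" status content-type "referrer"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "GET (?P<url>\S+)" '
                    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<referrer>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Signals that make a record look like a pushed APK; empty if not an APK."""
    name = urlparse(rec["url"]).path.rsplit("/", 1)[-1]
    if not (name.lower().endswith(".apk") or rec["ctype"] == APK_MIME):
        return []
    reasons = ["apk-download"]
    if LURE_NAME.search(name):
        reasons.append("update-lure-name")
    ref_host = urlparse(rec["referrer"]).hostname or ""
    if any(ref_host == h or ref_host.endswith("." + h) for h in AD_HOSTS):
        reasons.append("ad-network-referrer")
    return reasons

def scan(lines):
    """Report successful APK fetches carrying at least one extra signal."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "200":
            reasons = classify(rec)
            if len(reasons) > 1:
                hits.append((rec["client"], rec["url"], reasons))
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic
    '2016-08-15T10:21:07Z 10.0.0.12 "GET http://cdn.example.test/last-browser-update.apk" 200 '
    'application/vnd.android.package-archive "http://pagead2.googlesyndication.com/pagead/ads"',
    '2016-08-15T10:22:40Z 10.0.0.19 "GET http://mirror.example.test/notes-1.4.apk" 200 '
    'application/vnd.android.package-archive "http://mirror.example.test/apps"',
    '2016-08-15T10:23:02Z 10.0.0.25 "GET http://news.example.test/story.html" 200 text/html "-"',
    '2016-08-15T10:25:11Z 10.0.0.31 "GET http://cdn.example.test/important-browser-update.apk" 200 '
    'application/octet-stream "http://news.example.test/story.html"',
]
```

Calling scan(SAMPLE_LOG) reports the two lure-named downloads and leaves the ordinary APK fetch alone, so a plain app install does not page anyone while the "browser update" trick Buchka describes does.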


They’re currently more than adequate. If someone has to go through all of those steps to install the malware, then they most likely know what they are doing in the first place. However, it’s not so far off to think that, in the near future, malware won’t require any user interaction to be effective.

You might be surprised how many people install a .apk file, turn off Android's standard protections against installing apps from unknown sources, and finally bypass Google's Verify Apps protections. There are many uTest projects in which the mobile app is installed like that.